Subversion resilient attestation for trusted execution environments

ABSTRACT

A computer-implemented method includes receiving an original message from a trusted execution environment. The original message includes an original digital signature authored by the trusted execution environment. The method includes computing a proof of knowledge for the original digital signature and modifying the original message by replacing the original digital signature with the proof of knowledge.

CROSS-REFERENCE TO RELATED APPLICATION

The present application claims priority to U.S. Provisional Application No. 62/733,660, which was filed on Sep. 20, 2018 and is hereby incorporated by reference.

FIELD

Among other things, the present application discloses subversion resilient attestation for trusted execution environments.

BACKGROUND

Remote attestation is a mechanism offered by modern Trusted Execution Environments (TEEs) that allows remote parties to verify that a host is running binary within a TEE. Remote attestation can be realized through a digital signature scheme. For example, a trusted component on the host computes a digest of the binary, e.g., using a hash function, and signs the digest. The signature is then sent to a remote verifier that checks: (1) that the digest of the binary matches a reference value (e.g., a reciprocally computed hash); and (2) the validity of the received signature by using the verification key corresponding to the signing key of the trusted component.

Because TEEs are involved in privacy-sensitive applications, remote attestation schemes are designed with anonymity protections for the hosts. In particular, remote attestation schemes use group signatures that allows a signing host to remain anonymous within a group of authorized signers (hosts). In these implementations, a remote verifier learns that a given binary is running within a TEE-enabled host, but it does not learn the particular host where the binary is running. Enhanced Privacy ID (EPID) is a group signature scheme with revocation capabilities that is used for remote attestation in modern TEEs such as Intel SGX.

Signature schemes are susceptible to subversion attacks, i.e., where a malicious party surreptitiously modifies a cryptographic scheme with the intent of subverting its security. For example, an adversary may subvert the signing algorithm to exfiltrate information to verifying parties. Subversion attacks can be particularly relevant for remote attestation mechanisms of modern TEEs for mainly two reasons. First, the implementation details of the algorithms that constitute the signature scheme may be unavailable for inspection. Second, a subverted signature scheme may exfiltrate the private signing key, or any other identifying information of the host, thereby compromising host anonymity.

Existing approaches to enhance signature schemes with subversion-resilience rely either on unique signatures or on randomizable signatures. A signature scheme produces unique signatures if, with a fixed verification key, each message has one and one only valid signature. A signature scheme is randomizable if, given a valid signature σ on a message m, any computer can produce a valid signature σ′ on m, such that σ′ is indistinguishable from a fresh signature on m. For example, Giuseppe Ateniese, Bernardo Magri, and Daniele Venturi, “Subversion-Resilient Signature Schemes,” 22nd ACM Conference on Computer and Communications Security, pp. 364-375 2015 (2015)—the entire contents of which are hereby incorporated by reference herein—has shown that unique signatures are resilient to signing algorithm subversion, as are randomizable signatures if a source of trusted randomness is available to the party that randomizes the signature.

SUMMARY

An embodiment of the present invention provides a computer-implemented method that includes receiving an original message from a trusted execution environment. The original message includes an original digital signature authored by the trusted execution environment. The method includes computing a proof of knowledge for the original digital signature and modifying the original message by replacing the original digital signature with the proof of knowledge.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the present invention will be described in even greater detail below based on the exemplary figures. The invention is not limited to the exemplary embodiments. All features described and/or illustrated herein can be used alone or combined in different combinations in embodiments of the invention. The features and advantages of various embodiments of the present invention will become apparent by reading the following detailed description with reference to the attached drawings which illustrate the following:

FIG. 1 is a block diagram of an exemplary authentication system;

FIG. 2 is a block diagram of an exemplary authentication method; and

FIG. 3 is a block diagram of an exemplary processing system.

DETAILED DESCRIPTION

TEEs, such as Intel SGX, allow remote verifiers to check that a known piece of code is running untampered within a TEE-enabled host. This can be achieved through a trusted system component that certifies (i.e., signs) code running in a local TEE. TEEs can rely on a group signature scheme with revocation capabilities known as Enhanced Privacy ID (EPID). Group signatures appear in remote attestation to anonymize hosts. For example, a remote verifier learns that a piece of code is running within a TEE-enabled host by inspecting a group signature, but the remote verifier does not learn the particular TEE-enabled host running the code.

As described above, existing TEE signature schemes are not subversion-resistant. That is, if the signing algorithm is subverted, the TEE subsystem may exfiltrate identifying information via the signatures it produces. The present application discloses embodiments for providing subversion-resilience to group signature schemes that are not unique/randomizable (e.g., existing TEE signature schemes), thereby making the remote attestation mechanism of modern TEEs robust to signing algorithm subversion attacks. Therefore, the present invention provides a subversion-resilient remote attestation for Trusted Execution Environments (TEEs).

Embodiments of the present invention modify TEE signature schemes to make them subversion-resistant. Embodiments of the present invention provide mechanism to enhance EPID with resilience against subversion attacks. In embodiments of the present invention, a host retains the signature produced by the TEE and provides a verifier with a zero-knowledge proof of knowledge of a valid signature as output by the TEE.

The present invention provides a mechanism to provide subversion resilience to signature schemes used for remote attestation of TEEs that are not unique nor randomizable. Furthermore, the present invention enables a subversion resilient EPID signature scheme. According to an embodiment of the present invention, a host retains a signature generated on a reference binary by the TEE. To offer the verification functionality required for remote attestation, the host uses the signature on the binary provided by the TEE to compute a zero-knowledge proof of knowledge of that signature. Due to the soundness of the proof, a verifier learns that the reference binary is running within a TEE. Due to the zero-knowledge property of the proof, no further information is exfiltrated to the verifier. In an embodiment, the present invention accounts for the revocation mechanisms currently used in EPID. In an embodiment, the present invention modifies the host and the verifier without modifying the existing TEE.

An embodiment of the present inventions provides a method for subversion resilient attestation for trusted execution environments, which includes the following operations: (1) replacing the EPID signature provided by a TEE during remote attestation with a proof of knowledge of that signature; and (2) randomizing the revocation token of EPID provided by a TEE platform during remote attestation before sending it to a verifier.

An embodiment of the present invention provides a method of attestation for a trusted execution environment (TEE) that includes: deploying, by a host having thee TEE, a reference binary in the TEE; receiving, by the host, a request for remote attestation of the reference binary from a remote verifier; issuing, by the TEE of the host, a group signature having a revocation token on the reference binary; withholding, by the host, the group signature; creating, by the host, a proof of knowledge of the group signature; randomizing, by the host, the revocation token; and sending, by the host, the proof of knowledge and the randomized revocation token to the remote verifier. In an embodiment, the group signature may be an Enhanced Privacy Identification (EPID) signature.

An embodiment of the present invention provides a system for subversion resilient attestation for trusted execution environments, the system including a host that is a TEE-enabled platform and a verifier that is remote from the host. The host deploys a reference binary in a TEE subsystem. The remote verifier issues a request for remote attestation of the reference binary. The TEE subsystem on the host issues a (EPID) signature on the reference binary; the signature contains a revocation token that will be used in case this signature will be placed in a revocation list. The host withholds the signature and creates a proof of knowledge of such signature. The host randomizes the revocation token. The host sends to the verifier the proof of knowledge on the signature and the randomized revocation token. The verifier checks the proof of knowledge and retains the revocation token for revocation, if needed.

An embodiment of the present invention provides a host that includes a processor and a memory, the memory having processor executable instructions that, when executed by the processor, cause the processor to perform the following operations for attestation for a trusted execution environment (TEE): deploying a reference binary in the TEE; receiving a request for remote attestation of the reference binary from a remote verifier; receiving, from the TEE, a group signature having a revocation token on the reference binary; withholding the group signature; creating a proof of knowledge of the group signature; randomizing, the revocation token; and sending the proof of knowledge and the randomized revocation token to the remote verifier.

An embodiment of the present invention provides a non-transitory computer readable medium having processor executable instructions that, when executed by a processor, causes the processor to perform the following operations for attestation for a trusted execution environment (TEE): deploying, by a host having a TEE, a reference binary in the TEE; receiving, by the host, a request for remote attestation of the reference binary from a remote verifier; receiving, from the TEE of the host, a group signature having a revocation token on the reference binary; withholding, by the host, the group signature; creating, by the host, a proof of knowledge of the group signature; randomizing, by the host, the revocation token; and sending, by the host, the proof of knowledge and the randomized revocation token to the remote verifier.

Disclosed is a computer-implemented method including: receiving an original message from a trusted execution environment, the original message including an original digital signature authored by the trusted execution environment; computing a proof of knowledge for the original digital signature; and modifying the original message by replacing the original digital signature with the proof of knowledge.

In an embodiment, the method includes: receiving a request for remote attestation of a reference binary from a remote verifier; calculating, with the trusted execution environment and in response to the remote attestation request, the original digital signature based on the reference binary. The original digital signature includes an original revocation token, and the modifying of the original message includes replacing the original revocation token with a randomized revocation token. The method further includes transmitting, to the verifier, the modified original message including the proof of knowledge and the randomized revocation token.

In an embodiment, the original message includes an original revocation token prepared by the trusted execution environment and the method includes: randomizing the original revocation token; modifying the original message by replacing the original revocation token with the randomized revocation token.

In an embodiment, the original message includes a destination address and the method includes transmitting the modified message to the destination address. In an embodiment, the original revocation token is randomized by modifying one or more fields of the original revocation token based on a randomly selected parameter.

In an embodiment, the trusted execution environment locally stores a trusted private key, the trusted execution environment authors the original digital signature with the trusted private key, and the randomized revocation token includes parameters sufficient to revoke the trusted private key. In an embodiment, a host processing system includes an intermediate processing system and the trusted execution environment and the intermediate processing system performs the receiving, the computing, and the modifying.

In an embodiment, the method includes: receiving a request from a verifying processing system for remote attestation of a reference binary; and deploying the reference binary in the trusted execution environment based on the received request.

In an embodiment, the original message includes a digest computed by the trusted execution environment based on the reference binary. In an embodiment, the digest includes a hash of the reference binary.

Disclosed is a processing system including one or more processors configured to: receive an original message from a trusted execution environment, the original message including an original digital signature authored by the trusted execution environment; compute a proof of knowledge for the original digital signature; and modify the original message by replacing the original digital signature with the proof of knowledge.

In an embodiment, the one or more processors are configured to: receive a request for remote attestation of a reference binary from a remote verifier; calculate, within the trusted execution environment and in response to the remote attestation request, the original digital signature based on the reference binary. The original digital signature includes an original revocation token, and the one or more processors are configured to modify the original message by replacing the original revocation token with a randomized revocation token. The one or more processors may be further configured to transmit, to the verifier, the modified original message including the proof of knowledge and the randomized revocation token.

In an embodiment, the processing system includes an intermediate processing system and the trusted execution environment. At least one of the intermediate processing system and the trusted execution environment include the one or more processors.

Disclosed is a non-transitory computer-readable medium including code for configuring one or more processors to: receive an original message from a trusted execution environment, the original message including an original digital signature authored by the trusted execution environment; compute a proof of knowledge for the original digital signature; and modify the original message by replacing the original digital signature with the proof of knowledge.

In an embodiment, the non-transitory computer-readable medium includes code for configuring the one or more processors to: receive a request for remote attestation of a reference binary from a remote verifier; calculate, within the trusted execution environment and in response to the remote attestation request, the original digital signature based on the reference binary. The original digital signature includes an original revocation token, and the code for modifying the original message includes code for configuring the one or more processors to replace the original revocation token with a randomized revocation token. The code further configures the one or more processors to transmit, to the verifier, the modified original message including the proof of knowledge and the randomized revocation token.

Referring to FIG. 1, an authentication system 100 can include a host 110 (also called a host processing system), a remote verifier 120 (also called a verifying processing system), and an issuer/authority 130 (also called an issuing processing system). Host 110 (e.g., the host processing system) can include a TEE 112 (also called a secure enclave) and an intermediate processing system 114. Both TEE 112 and the intermediate processing system 114 can be discrete elements of host 110. TEE 112 can be isolated within host 110 such that information TEE 112 transmits must route through intermediate processing system 114. Host 110 can be distributed such that TEE 112 and intermediate processing system 114 are remote.

TEE 112 can periodically create a message for transmission to verifier 120. TEE 112 can be configured to create such an original message at the request of intermediate processing system 114 and/or verifier 120. The original message can include an original digital signature. TEE 112 can produce the original digital signature with an internally stored (e.g., hard-coded) first private key. The first private key may be one of a first group of private keys cryptographically paired with a first public key.

In the absence of subversion, verifier 120, upon receiving the original message, would only be able to confirm a private key within the first group authored the original digital signature. The verifier 120 would not be able to specifically identify the first private key as the author. However, as stated above, a TEE 112 may be compromised so as to encode uniquely identifying information within the original message (e.g., within the original digital signature of the original message).

Therefore, intermediate processing system 114 can be configured to intercept the message and replace the digital signature with a zero-knowledge proof of knowledge (“ZKPK”) such as a non-interactive zero knowledge (“NIZK”) proof.

Intermediate processing system 114 can forward the sanitized message to verifier 120. By doing so, intermediate processing system 114 can prevent TEE 112 from leaking (exfiltrating) information that would uniquely identify host 110 through the digital signature. Therefore, intermediate processing system 114 can make TEE 112 subversion-resilient.

Verifier 120 can analyze the ZKPK to confirm that intermediate processing system 114 received an original message with a valid digital signature from TEE 112. Verifier 120 can perform an action based on such a confirmation. For example, verifier dispatch a secret message (e.g., a private symmetric key, an access token, etc.) to host 110 or a third-party processing system based on the confirmation.

In addition to the digital signature and underlying substantive content (e.g., a hash of binary present within TEE 112), the original message can include an original revocation token. In the absence of subversion, TEE 112 can randomly (e.g., pseudo-randomly) select the revocation token from a set of possibilities.

As with the digital signature, intermediate processing system 114 can substitute the original revocation token with a sanitized (i.e., modified) revocation token. Intermediate processing system 114 can do so by re-randomizing the original revocation token (e.g., by selecting another revocation token from the set of possibilities). By doing so, intermediate processing system 114 can prevent TEE 112 from leaking information that would uniquely identify host through the original revocation token.

The above functionality can be implemented through a signature scheme Σ including the following algorithms (also called protocols): Setup, Join, Sign, HostSetup, HostProve, Verify, RevokeP, and RevokeS.

Algorithm Σ.Setup can be run by the issuer (e.g., issuer 130 in FIG. 1) to setup the framework for the signature scheme. Σ.Setup can begin with an initialization algorithm: Init(1λ)→pub. This algorithm takes as input the security parameter λ and outputs public parameter pub. Σ.Setup can operate on public parameter pub to produce a group public key gpk and an issuer secret key isk: Setup(pub)→(gpk, isk). Group public key gpk and issuer secret key isk can form an asymmetric keypair. As shown in FIG. 1, the issuer 130 can be a processing system (called the issuing processing system) separate from both host 110 and verifier 120.

Σ.Join can be an interactive join protocol that enables a TEE to obtain group membership credentials. In an embodiment, Join_(I,H) _(i) _(,M) _(i)

(gpk, isk), gpk, gpk)

→

b, (b, hvt_(i)), sk_(i)

, a three-party protocol between the issuer

, a host H_(i) (e. g., intermediate processing system 114) and a chip

_(i) (e.g., TEE 112). The issuer inputs (gpk, isk), while the other parties only input gpk. In an embodiment, at the end of the protocol,

obtains a bit b indicating if the protocol terminated successfully,

_(i) (e.g., TEE 112) obtains private key sk_(i), and H_(i) obtains a host verification token hvt_(i) and the same bit b as

. As further discussed below,

d, e, f

←P_(A,B,C)

a, b, c

can be an interactive protocol P between parties A, B and C where a, b, c (resp. d, e, f) are the local inputs (resp. outputs) of A, B and C, respectively.

A TEE 112 equipped with group membership credentials can produce signatures via Σ.Sign (also called Σ. Sig): Sign(gpk, sk_(i), bsn, M, SigRL)→⊥/(σ, π_(σ)). According to this embodiment, the signing algorithm takes as input the group public key gpk, a private key sk_(i), a basename bsn (e.g., an arbitrary string), a message M, and a signature-based revocation list SigRL. The signing algorithm outputs a signature σ and a proof π_(σ), or an error ⊥ (if SigRL contains a signature produced with private key sk_(i)).

Σ.HostSetup can be performed once per host. In an embodiment, this algorithm sets up (e.g., configures intermediate processing system 114 to perform) a non-interactive zero knowledge (“NIZK”) proof system for the relation R_(EPID). R_(EPID) can contain all tuples of the following elements: a group public key gpk, a list of revoked signatures SigRL, a basename bsn, a message M, and a randomized revocation token (B′, K′). Witnesses can be valid signatures out by Sign(gpk, sk_(i), bsn, M, SigRL) using a membership key sk_(i) and a random element α.

In an embodiment detail, a tuple ((gpk, SigRL, bsn, M, (B′, K′)), (σ, α))∈R_(EPID) if and only if:

-   -   1. SigRL can be parsed as {B_(i), K_(i)}_(1≤i≤|SigRL|).     -   2. σ=(σ₀, σ₁, . . . , σ_(|SigRL|))     -   3. σ₀=(B, K, T, c, S_(x), S_(f), S_(a), S_(b)) where:         -   a. c=H(gpk, B, K, T, R₁′, R₂′, m)         -   b. R₁′=B^(sf)K^(−c)         -   c. R₂′=e(T, g₂)^(−sx)e(h₁, g₂)^(sf)e(h₂, g₂)^(sb)e(h₂,             w)^(sa)(e(g₁, g₂)/e(T, w))^(c)     -   4. σ_(i) is a valid zero-knowledge proof for SPK{(f}:         K=B^(f)ΛK_(i)< >B_(i) ^(f)}(m), for 1≤i≤|SigRL|. SPK can be a         signature of knowledge (e.g., a proof of knowledge where the         hash used as a challenge is a function of message M).     -   5. B′=B^(α)     -   6. K′=K^(α)

By performing items 1-4, intermediate processing system 114 can ensure that the original signature is valid and by performing items 5-6, intermediate processing system 114 can ensure that the sanitized pair (B′, K′) is a valid re-randomization of a revocation token. In an embodiment, the zero-knowledge proof is a function of α. For example, a witness for R_(EPID) can be a pair σ, α

During Σ.HostSetup, intermediate processing system 114 can be configured to perform Init(1^(λ))→ω, where λ is the above-discussed security parameter applied by the issuer during Σ.Setup, then set gpk*=(ω, gpk), where gpk is the group public key generated during Σ.Setup. Intermediate processing system 114 can send gpk* to the verifier 120. Intermediate processing system 114 may perform the algorithm at every interaction with a verifier (i.e., for every message sent to a verifier) in case the host 110 requires any pairs of interactions with a given verifier to be unlinkable.

Intermediate processing system 114 can perform algorithm Σ.HostProve(σ)→π (also called HostSanitize) to compute the proof of knowledge (e.g., NIZK) of a signature. Given a signature σ on a message M as authored by TEE 112, intermediate processing system 114 can parse σ as (σ₀, σ_(i), . . . , σ_(n)) and σ₀ as (B, K, T, c, S_(x), S_(f), S_(a), S_(b)). Intermediate processing system 114 can perform the following:

-   -   1. Compute (B′, K′)=(B^(α), K^(α)) for a random α in Z_(p)     -   2. Run Prove(ω, (gpk, SigRL, m, (B′, K′)), σ)→π     -   3. Sends α*=((B′, K′), π)

Algorithm Σ.Verify(gpk*, m, α*, SigRL, Priv-RL)→Σ0/1 can be performed by verifier 120. In an embodiment, the algorithm parses α* as ((B′, K′), π) and gpk* as (ω, gpk). If ProofVerify(ω, (gpk, m, (B′, K′), π)→1 and K< >B^(fi) for each f_(i)∈Priv-RL, then the algorithm outputs 1; otherwise the algorithm outputs 0. In an embodiment, the verifier applies α*. The notation α* does not imply a relationship between α* and α, although in an embodiment, α* proves knowledge of α.

Issuer 130 can perform algorithm Σ.RevokeP(gpk, Priv-RL, sk_(i))→Priv-RL′. Issuer 130 can take revocation list Priv-RL and secret key sk_(i)=f_(i), and outputs Priv-RL′=Priv-RL∪{f_(i)}

Issuer 130 can perform algorithm Σ.RevokeS(gpk, Priv-RL, SigRL, m, σ)→SigRL′/⊥. Given revocation list SigRL and a signature σ*, if Σ.Verify(gpk*, m, α*, SigRL, Priv-RL)→1, then output SigRL′=SigRL∪{(B′, K′}; otherwise output ⊥.

FIG. 2 illustrates an exemplary remote attestation method. At block 202, a verifying processing system 120 can demand remote attestation of software (e.g., reference binary) stored on a host processing system 110 as a condition precedent to performing an activity (e.g., issuing a symmetric key or other valuable data to host processing system 110) Host processing system 110 can include TEE 112 and intermediate processing system (“IPS”) 114.

At block 204, intermediate processing system 114 can receive the demand, and in response, forward the subject of the demand (e.g., software such as reference binary present within intermediate processing system 114) to TEE 112 for computation of a digest authenticating the software. The digest can be, for example, a hash of the software computed according to a hashing algorithm supplied by the verifying processing system 120.

At block 206, TEE 112 can compute the digest. At block 208, TEE 112 can create a message addressed to verifying processing system 120. The message can include an original digital signature authored by TEE 112 and an original revocation token. TEE 112 can compute the digital signature based on group public key gpk, secret key sk_i, basename bsn, substantive content of the message M (e.g., the digest), and the signature-based revocation list SigRL. TEE 112 can transmit the message to verifying processing system 120.

At block 210, intermediate processing system 114 can intercept the message. At block 212, intermediate processing system 114 can compute a sanitized digital signature and a sanitized revocation token. Intermediate processing system 114 can compute the sanitized digital signature based on the group public key gpk, the basename bsn, the substantive message content M (e.g., the digest), the original digital signature, the signature-based revocation list SigRL, and the host verification token hvt_i. Intermediate processing system 114 can compute the sanitized revocation token based on the original revocation token and a randomly selected parameter. In an embodiment, intermediate processing system 114 can raise each parameter of the original revocation token (e.g., B and K) to the power of the randomly selected parameter.

At block 212, intermediate processing system 114 can replace the original digital signature and the original revocation token with the sanitized digital signature and the sanitized revocation token. The original digital signature and original revocation token can be stripped from the message. At block 214, intermediate processing system 114 can transmit the sanitized (also called modified) message to verifying processing system 120. The sanitized message can include the substantive message content M (e.g., the digest), the sanitized digital signature, and the sanitized revocation token. The substantive message content M can be omitted in scenarios where it is already available at the verifier.

At block 216, verifying processing system 120 can confirm that the sanitized digital signature includes a proof of knowledge of the original digital signature and that the substantive message content M (e.g., the digest) is an expected value (e.g., by computing a reciprocal hash of the reference binary). At block 218, and based on confirming that the sanitized digital signature and the substantive message content are appropriate, verifying processing system 120 can supply information to intermediate processing system 114 (e.g., a symmetric key, a digital signature, etc.).

The following description is of proof of relations over discrete logarithms and signature of knowledge according to an embodiment.

A proof of knowledge of a discrete logarithm of an element y of a multiplicative group G with respect to a base g is denoted as PK{(x): y=g^(x)}. See, e.g., Claus Schnorr, “Efficient Identification and Signatures for Smart Cards,” Journal of Cryptology 4(3) (1991) (the entire contents of which are hereby incorporated by reference herein). This can be accomplished as follows. The prover picks random r and sends t=g^(r). The verifier responds with random challenge c. The prover sends s=r+cx. The verifier accepts the proof if g^(s)=ty^(c).

A proof of knowledge of a representation of an element y∈G with respect to several bases (g₁, . . . , g_(v))∈G^(v) can be denoted PK{(x₁, . . . , x_(v)): y=g^(x1)g^(x2) . . . g^(xv−1)g_(xv)}. See, e.g., David Chaum, Jan-Hendrik Evertse, and Jeroen van de Graaf, “An Improved Protocol for Demonstrating Possession of Discrete Logarithms and Some Generalizations,” EUROCRYPT (1987) (the entire contents of which are hereby incorporated by reference). The prover picks random r₁, . . . , r_(v) and sends t₁, . . . t_(v) where t_(i)=g^(ri). The verifier responds with random challenge c. The prover sends s₁, . . . , s_(v) where s_(i)=r_(i)+cx_(i). The verifier accepts the proof if Π_(1≤i≤v)gv_(i) ^(si)=Π_(1≤i≤v)t_(i)y^(c).

A proof of equality of discrete logarithms of two group elements y₁, y₂∈G to bases g₁, g₂∈G, can be denoted PK{(x): y₁=g₁ ^(x)Λy₂=g₂ ^(x)}. See, e.g., David Chaum and Torben Pedersen, “Wallet Databases with Observers,” CRYPTO (1992) (the entire contents of which are hereby incorporated by reference). The prover picks random r, computes t₁=g₁ ^(s), t₂=g₂ ^(s), and sends (t₁, t₂). The verifier responds with random challenge c. The prover sends s=r+cx. The verifier accepts the proof if g^(s)t₁y₁ ^(c) and g^(s)=t₂y₂ ^(c).

A proof of inequality of discrete logarithms of two group elements y₁, y₂∈G to bases g₁, g₂∈G, is denoted PK{(x): y₁=g₁ ^(x)Λy₂< >g₂ ^(x)}. See, e.g., Jan Camenisch and Victor Shoup, “Practical Verifiable Encryption and Decryption of Discrete Logarithms,” CRYPTO (2003) (the entire contents of which are hereby incorporated by reference). The prover picks random r and sends c=(g₂/y₂)^(r). Prover and verifier execute the protocol PK{(a, b): C=g₂ ^(a)(1/y₂)^(b)Λ1=g₁ ^(a)(1/y₁)^(b)}. The verifier accepts if it accepts the previous proof and if C< >1.

The above interactive proofs may be converted into non-interactive proofs by replacing the verifier's challenge with a hash computed over the protocol transcript up to the point where the challenge must be provided. For example, in the proof of knowledge of a discrete logarithm of an element y∈G with respect to a base g, the challenge can be computed as c=H(g, y, t). Further, the proof can be converted in a signature of knowledge on a message m, if the input to the hash function includes m. The notation SPK{(a): y=ga}(m) is used to denote a signature on a message m obtained in this way.

The following description is of Non-Interactive Zero-Knowledge Proof of Knowledge according to an embodiment.

A non-interactive zero-knowledge (NIZK) proof system for a relation R can be a tuple (Init, Prove, VerifyProof) of probabilistic polynomial-time algorithms such that: Init on input a security parameter outputs a common reference string ω; Prove(ω, x, w) on input (x, w)∈R, outputs a proof π; VerifyProof(ω, x, π) given an instance x and a proof π, outputs 0 (reject) or 1 (accept). A NIZK is sound if a prover has negligible chances of producing convincing proofs for statements outside of R, while the NIZK is zero-knowledge if a verifier learns nothing from a proof (apart from the fact that the proof is valid). NIZK for arbitrary relations are available, for example Jens Groth and Amit Sahai, “Efficient Non-interactive Proof Systems for Bilinear Groups,” IACR Cryptology ePrint Archive 155 (2007)—the entire contents of which are hereby incorporated by reference.

The following description is of a BBS+ Signature scheme according to an embodiment:

An EPID can be built on top of a BBS+ signature scheme. See, e.g., Man Ho Au, Willy Susilo, and Yi Mu, “Constant-Size Dynamic k-TAA,” SCN (2006) (discussing BBS+ signatures—the entire contents of which are hereby by incorporated by references herein).

Here, (G₁, G₂) are a suitable bilinear group pair of some prime order p. And, e:G₁×G₂→G_(T) are a computable bilinear pairing function. The BBS+ scheme can unfold as follows:

BBS.KeyGen(1^(λ))→(pk, sk). The key generation algorithm takes as input security parameter λ. It randomly picks (g₁, h₁, h₂)∈G₁ ³, g₂∈G₂, and γ∈Z_(q). It sets w=g₂ ^(γ) and outputs pk=(p, G₁, G₂, G_(T), g₁, h₁, h₂, w) and sk=γ.

BBS.Sign(pk, sk, m)→σ. The signing algorithm takes a pair of public-private keys and a message m. It outputs a signature σ=(A, x, y), where (x, y) are random elements of Z_(p)* and A=(g₁h₁ ^(m)h₂ ^(y))^(1/(x+γ)).

BBS.Verify(pk, m, σ)→0/1. The verification algorithm outputs 1 (i.e., valid signature) if e(A, g₂ ^(x)w)=e(g₁h₁ ^(m)h₂ ^(y), g₂); otherwise it outputs 0.

The following description is of Enhanced Privacy ID (EPID) according to an embodiment:

Enhanced Privacy ID (EPID) is a group signature scheme with provisions for revocation. EPID includes four different types of entities: (1) an issuer I who manages group membership; (2) a revocation manager R who manages revocation of group members (As shown in FIG. 1, I and R can be the same entity); (3) a set of group members; and (4) a set of verifiers.

Group membership is regulated by I, who provides a member M_(i) with a secret key sk_(i) via a join protocol. Member M_(i) uses its secret key to issue signatures that anybody can verify. A valid signature convinces the verifier that the signer is a member of the group, but does not allow the verifier to learn M_(i)'s identity.

A revocation manager R can, if needed, revoke group membership. In particular, EPID provides two different kind of revocation lists: one is called Priv-RL and is constituted by the secret keys of the revoked members, while the other is called SigRL and includes (part of the) signatures generated by revoked members. The latter is used when a member must be revoked, but its private key is not available.

Notation:

In the following, <c, d>←P_(A,B)<a, b> is referred to as an interactive protocol P between parties A and B, where A's private input is a and B's private input is b. The protocol returns private output c to A and private output d to B.

EPID can be described as a tuple (Setup, Join, Sign, Verify, RevokeP, RevokeS) defined as follows:

Setup(1^(λ))→(gpk, isk). This algorithm is run by the issuer I. It takes a security parameter λ, as input and outputs a group public key gpk and an issuer secret key isk.

<⊥, sk_(i)>←Join_(I,Mi)<(gpk, isk), gpk>. This is an interactive protocol between issuer I and prospective member M_(i). Both parties input the group public key, while the issuer also inputs its secret key. At the end of the protocol the issuer outputs nothing (⊥) while member M_(i) outputs secret key sk_(i).

Sign(gpk, sk_(i), m, SigRL)→⊥/σ. The signing algorithm takes as input the group key public gpk, signing key sk_(i), a message m, and a signature revocation list SigRL. It outputs either a valid signature σ or an error message ⊥.

Verify(gpk, Priv-RL, SigRL, m, σ)→0/1. The signature verification algorithm takes as input the group public key gpk, both revocation lists Priv-RL and SigRL, a message m, and a signature σ. It outputs 1 if σ is a valid signature on m; otherwise it outputs 0.

RevokeP(gpk, Priv-RL, sk_(i))→Priv-RL′. This algorithm outputs an updated revocation list by adding secret key sk_(i) to the input list Priv-RL.

RevokeS(gpk, Priv-RL, SigRL, m, σ)→SigRL′/⊥. If signature σ is valid for message m, this algorithm outputs an updated revocation list by adding a part of σ to the input list Priv-RL; otherwise the algorithm outputs an error message ⊥.

The following description is of an instantiation of Enhanced Privacy ID (EPID) according to an embodiment.

An example instantiation of EPID—adopted by Intel SGX—is discussed in Ernie Brickell and Jiangtao Li, “Enhanced Privacy ID from Bilinear Pairing for Hardware Authentication and Attestation,” SocialCom/PASSAT (2010) (“Brickell”)—the entire contents of which is hereby incorporated by reference. NIZK—e.g., as proposed in Brickell—may be used by an embodiment of the present invention. At a high level, a dedicated service by the platform manufacturer acts as issuer and revocation manager. There may be several groups. However, without loss of generality, the present example assumes that there is only one group.

The issuer sets up the group via the Setup algorithm. Any platform can become a member of the group by choosing a secret key f, and engaging with the issuer I in the Join interactive protocol. During the protocol, the platform outputs a BBS+ signature σ=(A, x, y) over f, computed with the issuer secret key. The signature σ and the secret key f constitute the platform's credentials as a group member.

A signature by a TEE is essentially a zero-knowledge proof that the TEE has a BBS+ signature on its secret key f. Further, given a revocation list SigRL of signatures produced by revoked members, a valid signature must also include a proof that the secret key f may have not produced any of the signatures in SigRL. Finally, the TEE also picks a random base B, computes K=B^(f) and proves in zero-knowledge that K was computed correctly from B and f. The pair (B, K) is denoted as a revocation token; this is provided to the verifier and may be added to SigRL by the revocation manager R later on.

The following is an algorithm implemented by embodiments of the present invention:

Setup(1^(λ))→(gpk, isk). On input security parameter λ, it runs BBS.KeyGen(1^(λ))→(pk, sk) and sets gkp=pk and isk=sk.

<⊥, sk_(i)>←Join_(I,Mi)<(gpk, isk), gpk>. This is an interactive protocol between platform M_(i) and issuer I that unfolds as follows:

-   -   1. M_(i) picks (f, y′)∈Z_(p) ² and computes t=h₁ ^(f)h₂ ^(y)′         and produces a proof π=PK{(f, y):t=h₁f₂ ^(y)′}.     -   2. The issuer verifies π, computes A=(g₁h₁ ^(m)h₂         ^(y)″)^(1/(x+γ″)) where (x, y″) are random elements of Z_(p),         and outputs (A, x, y)     -   3. M computes y=y′+y″ and checks that e(A, g₂ ^(x)w)=e(g₁h₁         ^(m)h₂ ^(y), g₂). It outputs sk_(i)=(A, x, y, f).

Sign(gpk, sk_(i), m, SigRL)→⊥/σ. Given the group public key gpk, a member's credentials sk_(i)=(A, x, y, f) and a message m∈{0,1}*, the signing algorithm unfolds as follows:

-   -   1. Pick random B∈G_(T) and random a∈Z_(p) and compute K=B^(f),         b=y+ax, T=Ah₂ ^(a)     -   2. Compute SPK{(x, f, a, b):B^(f)=KΛe(T, g₂)^(−x)e(h₁,         g₂)^(f)e(h₂, g₂)^(b)e(h₂, w)^(a)=e(T, w)/e(g₁, g₂)}(m)         -   a. Compute R₁=B^(rf), R₂=e(T, g₂)^(−rx)e(h₁, g₂)^(rf)e(h₂,             g₂)^(rb)e(h₂, w)^(ra), where r_(x), r_(f), r_(a), r_(b) are             random elements of Z_(p).         -   b. Compute c=H(gpk, B, K, T, R₁, R₂, m) and s_(x)=r_(x)+cx,             s_(f)=r_(f)+cf, s_(a)=r_(a)+ca, s_(b)=r_(b)+cb.     -   3. Set σ₀=(B, K, T, c, S_(x), S_(f), S_(a), S_(b)).     -   4. Given SigRL={B_(i), K_(i)}_(1≤i≤|SigRL|), compute         σ_(i)=SPK{(f):K=B^(f)ΛK_(i)< >B_(i) ^(f)}(m) for 1≤i≤|SigRL|.     -   5. If any of the zero-knowledge proofs above fails, output ⊥,         otherwise output σ=(σ₀, σ₁, . . . , σ_(|SigRL|)).

Verify(gpk, Priv-RL, SigRL, m, σ)→0/1. Let σ=(σ0, σ1, . . . , σ|SigRL|) where σ0=(B, K, T, c, sx, sf, sa, sb).

-   -   1. Verify that (B, K, T, S_(x), S_(f), S_(a),         S_(b))∈G_(T)×G_(T)×G₁×Z_(p) ⁴.     -   2. Compute R₁′=B^(sf)K^(−c) and R₂′=e(T, g₂)^(−sx)e(h₁,         g₂)^(sf)e(h₂, g₂)^(sb)e(h₂, w)^(sa)(e(g₁, g₂)/e(T, w))^(c)     -   3. Verify that c=H(gpk, B, K, T, R₁′, R₂′, m).     -   4. Given SigRL={B_(i), K_(i)=B_(i) ^(fi)}_(1≤i≤|SigRL|), verify         that σ_(i) is a valid zero-knowledge proof for         SPK{(f}:K=B^(f)ΛK_(i)< >B_(i) ^(f)}(m), for 1≤i≤|SigRL|.     -   5. For each f_(i)∈Priv-RL, check that K< >B^(fi).

RevokeP(gpk, Priv-RL, sk_(i))→Priv-RL′. Output Priv-RL′=Priv-RL∪{sk_(i)}.

RevokeS(gpk, Priv-RL, SigRL, m, σ)→SigRL′/⊥. If S_(SGX). Verify(gpk, Priv-RL, SigRL, m, σ)→1, then output SigRL′=SigRL∪{(B′, K′)}; otherwise output ⊥.

Referring to FIG. 3, a processing system 300 can include one or more processors 302, memory 304, one or more input/output devices 306, one or more sensors 308, one or more user interfaces 310, and one or more actuators 312. Processing system 300 can be representative of each of host 110, TEE 112, intermediate processing system 113, verifier 120, and the issuer 130.

Processors 302 can include one or more distinct processors, each having one or more cores. Each of the distinct processors can have the same or different structure. Processors 302 can include one or more central processing units (CPUs), one or more graphics processing units (GPUs), circuitry (e.g., application specific integrated circuits (ASICs)), digital signal processors (DSPs), and the like. Processors 302 can be mounted on a common substrate or to different substrates.

Processors 302 are configured to perform a certain function, method, or operation at least when one of the one or more of the distinct processors is capable of executing code (e.g., interpreting scripts), stored on memory 304 embodying the function, method, or operation. Processors 302, and thus processing system 300, can be configured to perform, automatically, any and all functions, methods, and operations disclosed herein.

For example, when the present disclosure states that processing system 300 performs/can perform task “X” (or that task “X” is performed), such a statement should be understood to disclose that processing system 300 can be configured to perform task “X”. Processing system 300 are configured to perform a function, method, or operation at least when processors 302 are configured to do the same.

Memory 304 can include volatile memory, non-volatile memory, and any other medium capable of storing data. Each of the volatile memory, non-volatile memory, and any other type of memory can include multiple different memory devices, located at multiple distinct locations and each having a different structure. Memory 304 can include cloud storage.

Examples of memory 304 include a non-transitory computer-readable media such as RAM, ROM, flash memory, EEPROM, any kind of optical storage disk such as a DVD, a Blu-Ray® disc, magnetic storage, holographic storage, an HDD, an SSD, any medium that can be used to store program code in the form of instructions or data structures, and the like. Any and all of the methods, functions, and operations described in the present application can be fully embodied in the form of tangible and/or non-transitory machine-readable code (e.g., scripts) saved in memory 304.

Input-output devices 306 can include any component for trafficking data such as ports, antennas (i.e., transceivers), printed conductive paths, and the like. Input-output devices 306 can enable wired communication via USB®, DisplayPort®, HDMI®, Ethernet, and the like. Input-output devices 306 can enable electronic, optical, magnetic, and holographic, communication with suitable memory 304. Input-output devices 306 can enable wireless communication via WiFi®, Bluetooth®, cellular (e.g., LTE®, CDMA®, GSM®, WiMax®, NFC®), GPS, and the like. Input-output devices 306 can include wired and/or wireless communication pathways.

Sensors 308 can capture physical measurements of environment and report the same to processors 302. User interface 310 can include displays, physical buttons, speakers, microphones, keyboards, and the like. Actuators 312 can enable processors 302 to control mechanical forces.

Processing system 300 can be distributed. Processing system 300 can have a modular design where certain features have a plurality of the aspects shown in FIG. 3. For example, I/O modules can include volatile memory and one or more processors.

The following disclosure provides further description of exemplary embodiments of the invention.

Enhanced Privacy ID (EPID) is signature scheme underlying anonymous attestation in Intel SGX. Disclosed is a subversion resilient EPID scheme (or SR-EPID). SR-EPID provides the same functionality and security guarantees of the original EPID, despite a potentially subverted chip (e.g., TEE 112). In this design, the host (e.g., intermediate processing system 114 of host 110) acts as a “sanitizer” and ensures no covert channel between the chip (e.g., TEE 112) and the outside world both during enrollment and during attestation (i.e., when signatures are produced). It can do so by leveraging structure preserving signatures in combination with Groth-Sahai proof system. As used herein, the term host 110 can refer to both intermediate processing system 114 and TEE 112 or intermediate processing system 114 specifically.

The above-described approach has a number of advantages. First, the host (e.g., intermediate processing system 114) bears no secret information—hence, a memory leak does not erode security. Further, the role of sanitizer may be distributed in a cascade fashion among several parties (e.g., multiple components of intermediate processing system 114) so that sanitization becomes effective as long as one of the parties has access to a good source or randomness. This approach is suited for corporate environments where security gateways process outgoing messages before they are released. The signing protocol can be non-interactive, thereby minimizing latency during signature generation. The instantiation of SR-EPID is secure against adaptive corruptions.

Different from existing approaches, signatures in SR-EPID can be produced by the chip via a non-interactive algorithm. The host can be leveraged to ensure security despite a subverted chip, but is not required to store a secret outside of TEE 112. In SR-EPID the host can act as a sanitizer: it runs a special verification of the signature produced by the chip; if this verification passes, the hosts strips off a piece of the signature, and forwards a re-randomization of the remaining part to the verifier (e.g., verifier 120).

The disclosed approach comes with multiple benefits. First, signature generation can be non-interactive and the communication flow can be unidirectional (from the chip to the host, on to the verifier)—just like the original EPID scheme and its instantiation within Intel SGX. This decreases latency and provides more flexibility in the protocol flow as the sanitization of a signature does not need to be done online. Non-interactive signature generation places a higher toll on the signer, but this is not an issue for secure hardware like Intel SGX that leverages the full power of the main processor.

Another benefit is that the host (i.e., intermediate processing system 114) holds no secret and only needs to store a verification key, which can even be made public without invalidating anonymity or unforgeability. This means that if a memory leak occurs on the host, one has nothing to recover but public information that is useless even if the chip is subverted. This property does not hold in existing approaches, where an attacker may ship a subverted hardware with a hardcoded signing key share, and a memory leak on the host would allow to get the host's share of the signing key; once the full signing key is known, unforgeability and anonymity are essentially lost.

In an embodiment, the host needs to have access to good randomness that should not be leaked; this is to re-randomize the signatures produced by a possibly subverted chip. However, the re-randomization is non-interactive and requires no long-term secret. Therefore, re-randomization can be executed by multiple parties in a cascade fashion in such a way that the signature is properly re-randomized as long as at least one of these parties has good randomness.

This modus operandi may fit corporate environments where hosts themselves may not be trusted with preventing information exfiltration, and security checks are carried out by one or more company gateways. It is not clear how to achieve such “fault tolerance” in various existing split-signature approaches. One may split the signing key across several parties, but the non-interactive nature of the signing protocol would lead to high latency for signature generation.

An embodiment formalizes the notion of Subversion-Resilient EPID schemes and includes a construction based on bilinear pairings. The construction leverages structure preserving signatures in combination with Groth-Sahai proof system and achieves security against adaptive corruptions.

In an embodiment consistent with FIG. 1, the issuer authority

130 (e.g., Intel in case of SGX) manages group(s) and certifies secret keys. A group member is a platform

(labeled host 110 in FIG. 1) including a host

(labeled intermediate processing system 114 in FIG. 1), and a chip

(labeled TEE 112 in FIG. 1) holding the signing key. In case of SGX, the chip

is the so-called quoting enclave, whereas the host

is constituted by the remaining hardware and software on the platform.

The quoting enclave can be the only component within host H with access to the attestation (i.e., EPID) signing key. This certified secret key never leaves the chip as it features tamper-resistant storage. Platform authentication by remote verifiers

is achieved by having the platform issuing a signature on a (challenge) message. By verifying the validity of the signature, the verifier is assured that the platform is a valid group member but cannot identify the platform among those belonging to the same group. Arrows in FIG. 1 depict available communication channels; all communication between the chip and the outside world is mediated by the host (i.e., intermediate processing system 114). The same model holds for anonymous attestation using TPMs; in this case, the chip is the TPM and the host is any other hardware and the software on the same platform.

In order to guarantee security in the presence of a subverted chip

, host to “sanitizes” signatures produced by the chip so to eliminate any covert channel between the chip and the outside world.

A covert channel could, for example, leverage nonces chosen by the chip during signature generation. Alternatively, a subverted chip may run the join protocol—when the private key is certified by the group manager—with a private key known to the adversary; later on, the adversary may simply use this known private key to break platform anonymity (since, by definition, private key based revocation allows a verifier to tell if a signature has been produced with a given private key). Another option is for the chip to behave honestly during the join protocol, but later use a preloaded private key to produce signatures (since platform anonymity must hold also against a malicious group authority, it is possible for the hardware to be preloaded with one or more certified private keys). The adversary may use that known (preloaded) key and a signature to break platform anonymity.

To deal with these issues, an embodiment of SR-EPID is designed so that (i) the host (e.g., intermediate processing system 114) participates to the join protocol contributing to the private key of the chip, (ii) each signature output by the chip (e.g., TEE 112) carries a proof (for the host to verify) that the private key used for signing is the very same one certified during the join protocol, and (iii) the host sanitizes signatures to avoid covert channel based on maliciously-sampled nonces.

d, e, f

←P_(A,B,C)

a, b, c

is an interactive protocol P between parties A, B and C where a, b, c (resp. d, e, f) are the local inputs (resp. outputs) of A, B and C, respectively. As discussed below, an embodiment of SR-EPID can include algorithms (also called protocols) Join, Init, Setup, Sig, Ver, and Sanitize. All the algorithms except Init take one or more public parameters generated by Init as an input. For convenience, this input is implicit in the following description.

Init(1^(λ))→pub. This algorithm takes as input the security parameter λ and outputs public parameters pub.

Setup(pub)→(gpk, isk). This algorithm takes the public parameters pub and outputs a group public key gpk and an issuing secret key isk for the issuer I.

Join_(I,H) _(i) _(,M) _(i)

(gpk, isk), gpk, gpk)

→

b, (b, hvt_(i)), sk_(i)

. This is a three-party protocol between the issuer

, a host

i and a chip

i. The issuer inputs (gpk, isk), while the other parties only input gpk. At the end of the protocol,

obtains a bit b indicating if the protocol terminated successfully,

i obtains private key ski, and

i obtains a host verification token hvti and the same bit b of

.

Sig(gpk, sk_(i), bsn, M, SigRL)→⊥/(σ, π_(σ)). The signing algorithms takes as input the group public key gpk, a private key sk_(i), a basename bsn, a message M, and a signature based revocation list SigRL. It outputs a signature σ and a proof π_(σ), or an error ⊥ (if SigRL contains a signature produced with sk_(i)).

Ver(gpk, bsn, M, σ, SigRL, PrivRL)→0/1. The verification algorithm takes in input the group public key gpk, a basename bsn, a message M, a signature σ, a signature based revocation list SigRL, and a private key based revocation list PrivRL. It outputs 0 or 1 if σ is respectively an invalid or a valid signature on M.

Sanitize (gpk, bsn, M, (σ, π_(σ)), SigRL, hvt_(i))→⊥/σ′. The sanitization algorithm takes as input the group public key gpk, a basename bsn, a message M, a signature σ with corresponding proof π_(σ), a signature based revocation list SigRL, and a host verification token hvt_(i). It outputs either ⊥ or a sanitized signature σ′.

Link(gpk, bsn, M₁, σ₁, SigRL₁, M₂, σ₂, SigRL₂)→0/1. The linking algorithm takes as input the group public key gpk, a basename bsn, and two message-signature-SigRL triples M₁, σ₁, SigRL₁ and M₂, σ₂, SigRL₂. It outputs 1 if both signatures are valid and were created, on the same basename, by the same platform; it outputs 0 otherwise.

In an embodiment, PrivRL is a set of private keys {sk_(i)}i, and SigRL is a set of triples {(bsn_(i), M_(i), σ_(i))} i, each including (e.g., consisting of) a basename, a message and a signature.

Correctness: An SR-EPID scheme satisfies correctness if any signature produced by a non-revoked platform passes the verification procedure. More formally, for all pub←Init(1^(λ)), all (gpk, gsk)←Setup(pub), all

b, (b, hvt), sk

←Join

(gpk, gsk), gpk, gpk)

such that b=1, and for any basename bsn, message M, private-key revocation list PrivRL and signature revocation list SigRL, and any signature σ←Sanitize(gpk, bsn, M, Sig(gpk, sk, bsn, M, SigRL), SigRL, hvt) the following expression is obtained where Σ is the set of signatures produced with sk: Ver(gpk,bsn,M,σ,SigRL,PrivRL)=1⇒(sk∉PrivRL)Λ(Σ∩SigRL=∅)

An exemplary construction includes the following template: (I) The issuer

keeps a secret key isk of a (structure-preserving) signature scheme and, in an embodiment, the secret key of a platform is a signature σ_(sp) on a Pedersen commitment [t]₁ whose opening y is known to the platform only (in other words σ_(sp) is a blind signature on y). (II) The chip generates a signature on a message M by creating a signature of knowledge for M of a signature σ_(sp) made by

on a commitment [t]₁ that opens to y. To glue the message M with σ_(sp) the proof is created using a labeled NIZK, where the label is, indeed, the message M.

A feature for preventing subversion attacks is to let the host

re-randomize every signature produced by the chip

, eliminating in this way the possibility that the randomness chosen by

in the signature of knowledge be a covert channel. Technically, this is achieved by using re-randomizable NIZKs.

This feature, however, can be insufficient to counter other possible subversion attacks. Not only the signatures, but also the execution of the Join protocol can give rise to a covert channel between the chip and the adversary. For example, the chip

may choose a hardcoded secret y as its secret platform key. For this, the host

also contributes to this key. And more in general potential covert channels in the Join protocol can be eliminated by letting the host re-randomize any message and NIZK that go from the chip to the issuer.

Another potential attack vector is that after the Join protocol is over, a subverted chip may use a completely different secret key y′ to generate signatures. In particular a chip subverted by a malicious issuer may come with such y′ together with a valid signature σ′_(sp) for it. To contrast this class of attacks,

can be required to output, for each signature σ, a proof π_(σ) that it is generated with the same secret key obtained Join.

can check π_(σ) using a dedicated verification token (also obtained at the end of the Join protocol); if the check passes,

strips off π_(σ), and returns a re-randomization of σ.

Disclosed are another set of techniques to reconcile an extensive use of (Groth-Sahai) NIZKs with the goal of obtaining an efficient SR-EPID scheme.

An embodiment requires two seemly conflicting properties of NIZK proof systems. On the one hand, the embodiment extracts from the malicious platforms the secret keys after the join protocols are executed; on the other hand, the embodiment uses zero-knowledge and strong derivation privacy to disable any covert channel from an honest platform with a subverted chip. The embodiment can rely on a simulation-extractable (and malleable) NIZK scheme. In an embodiment, any re-randomization algorithm is able to change the hash value to a fresh one without the knowledge of the witness, which is in contrast with the special soundness of the sigma-protocols.

In a construction, the expensive use of simulation-extractable (and malleable) GS proofs is avoided by using a novel combination of (plain) GS proofs with the random oracle model. At the beginning of the join protocol, the issuer chooses a fresh identifier id which the parties hash with a random oracle J, and its output is used as a fresh common-reference string. All the NIZKs sent by the platform during Join will use this fresh common reference string. In this way, by programming the random oracle, in the reduction one can adaptively choose the flavor of common reference string needed, depending on the kind of corruption of the platform.

However, this strategy may only partially succeed when using GS proof systems. The random oracle can be used to program the part in

₁ of the common reference strings of a GS proof system. Interestingly, this still allows the technique to work if the relation's witnesses to be extracted are only in

₁.

A similar problem may arise for the NIZK proof system for generating the signatures: it can be desirable to use zero-knowledge and strong derivation privacy for all the signatures released by honest platforms with subverted chips, and be able to extract (one single) forged signature during the unforgeability experiment. An embodiment may be unable to afford to have all the elements of the witness be group elements in

₁. For this reason, disclosed are knowledge of a commitment [t]₁ and of its opening [y]₂. Unfortunately, this asymmetry cannot be broken when using Type-3 pairings.

To solve this problem a random oracle can be used together with ABO-NIZKs and the fact that, in the reduction, only one NIZK proof needs be extractable. An embodiment is configured to hash the signed message M (together with the basename bsn) using another random oracle H, and then use the label H (bsn, M) in the labeled NIZK. Abstractly, in the proof of security, by programming the random oracle H, the embodiment lifts the selective security offered by the ABO-NIZK systems to obtain adaptive security. For the disclosed instantiation based on the external Diffie-Hellman assumption, the computational complexity of an ABO-NIZK prover (and verifier) may be only three exponentiations less efficient than a not-labelled GS-NIZK, while the size of the NIZK proofs remains the same.

Building Blocks. In an embodiment, a scheme works over bilinear groups generated by a generator

, and it makes use of the following building blocks:

[First building block] A structure-preserving signature scheme

=(KGen_(sp), Sig_(sp), Ver_(sp)) where messages are elements of

₁ and signatures are in

₁ ^(l) ¹ ×

₂ ^(l) ² .

[Second building block] An ABO label-based re-randomizable NIZK Π_(sign) with label space being {0, 1}^(λ) and for the relationship

_(sign) defined as:

$\left\{ {\begin{matrix} {\left( {{gpk},\lbrack b\rbrack_{1},{SigRL}} \right),} \\ \left( {\lbrack t\rbrack_{1},\sigma_{sp},\lbrack y\rbrack_{2}} \right) \end{matrix}\text{:}\mspace{14mu}\begin{matrix} {\lbrack b\rbrack_{1} \in \;{{span}\left( \left\lbrack {1,y_{0}} \right\rbrack_{1}^{T} \right)}} \\ {\forall{{i{\text{:}\left\lbrack b_{i} \right\rbrack}_{1}} \notin {{span}\left( \left\lbrack {1,y_{0}} \right\rbrack_{1}^{T} \right)}}} \\ {\lbrack t\rbrack_{t} = \left\lbrack {h^{T} \cdot y} \right\rbrack_{t}} \end{matrix}} \right\}$ Ver_(sp)(p k_(sp), [t]₁, σ_(sp)) = 1

In the above expression, SigRL={[b_(i)]₁}_(i=1) ^(r), gpk=([h]₁, pk_(sp)), and y=(y₀, y₁)^(T). To simplify the exposition, the description of the protocol below omits gpk (the public key of the scheme) from the instance and considers ([b]₁, SigRL) as an instance for the relation.

[Third building block] A malleable and re-randomizable GS-NIZK

_(com) for the following relationship

_(com) and set of transformations

_(com) defined below:

{([h]2, [t]2), [y]1:e([1]1, t[2]) = e([y]1, [h]2)} $\left\{ {T = {\left( {T_{x},T_{w}} \right)\text{:}\mspace{14mu}\begin{matrix} {{{{Tx}\left( {{\lbrack h\rbrack 2},{\lbrack t\rbrack 2}} \right)} = {\lbrack h\rbrack 2}},\left\lbrack {t + {h_{2} \cdot y^{\prime}}} \right\rbrack_{2}} \\ {{T_{w}\left( {\lbrack y\rbrack 1} \right)} = \left\lbrack {{y\; 0},{{y\; 1} + y^{\prime}}} \right\rbrack_{1}^{T}} \end{matrix}}} \right\}$

Namely, the relation proves the knowledge (in

₁) of the opening of a Pedersen's commitment (in

₂) whose commitment key is [h]₂. The transformation allows to re-randomize the commitment by adding fresh randomness. The common reference string of the NIZK is a vector in

₁ ^(l)×

₂ ^(l).

[Fourth building block] A

_(hvt) for the relation

_(hvt)={[x, xy, z, zy]1, y:x, y, z∈

_(p)}.

[Fifth building block] Three cryptographic hash functions H, J and K modeled as random oracles, where H:{0, 1}*→{0, 1}^(λ),

:{0, 1}*→

₁ ^(l) and K:{0, 1}^(λ)→

₁, and the value

∈

depends only on the NIZK

_(com).

The following describes an embodiment of a SR-EPID scheme:

Init(1^(λ))→pub: Generate description of a type-3 bilinear group bgp

(1^(λ)), the common reference strings crs_(sign)

_(sign). Init(bgp), crs_(com,2), tp_(s)

_(sign). Init ₂ (bgp), and crs_(hvt)

_(sign). Init(bgp), and sample h

. Output pub=(bgp, crs_(sign), crs_(com,2), crs_(hvt), [h]₁, [h]₂).

Setup(pub)→(gpk, isk): sample (sk_(sp), pk_(sp))

KGen_(sp)(bgp), and set isk:=sk_(sp), gpk:=pk_(sp).

(gpk, isk), gpk, gpk

→

b, (b, hvt), (sk, hvt)

: the platform

=(

,

) and issuer

start an interactive protocol that proceeds as described below:

-   -   1.         samples id         {0, 1}^(λ) and send id to         and         . All the parties compute crs_(com,1)←         (id) and set crs_(com):=(crs_(com,1), crs_(com,2)).     -   2.         samples y₀, c         , set hvt:=[c, cy₀]₁ and sends (y₀, hvt) to         .     -   3.         does as described below:         -   Sample             and compute [             ]₁:=(y₀,             )·[h]₁ and [             ]₂:=(y₀,             )·[h]₂;         -   ←             _(com). P(crs_(com), ([h]₂, [             ]₂), [y₀,             ]₁);         -   Send ([             ]₁, [             ]₂,             ) to             .     -   4.         checks         _(com). ∨(crs_(com), ([h]₂, [         ]₂,         )=1 and e([         ]₁, [1]₂)=e([1]₁, [         ]₂); if both checks pass:         -   Sample             and set [t]₁:=[             +h₂·             ]₁, [t]₂:=[             +h₂·             ]₂;         -   Compute             ←             _(com). ZKEval(crs_(com),             , [             ]₁);         -   Send             to             and ([t]₁, [t]₂,             ) to             .     -   5.         checks         _(com). ∨(crs_(com), ([h]₂, [t]₂),         )=1 and e([t]₁, [1]₂)=e([1]₁, [t]₂), and if the check passes         then         computes σ_(sp)←Sig_(sp)(sk_(sp), [t]₁) and sends σ_(sp) to         (through         ).     -   6.         does as described below:         -   Compute y₁=             +             and set y:=(y₀, y₁)^(T);         -   Verify (1) [h]₁ ^(T)·y=[t]₁ and (2) Ver_(sp)(pk_(sp), [t]₁,             σ_(sp))=1         -   If so, send the special message completed to             (through             ) and output sk:=([t]₁, σ_(sp), y) and hvt.     -   7.         outputs hvt.     -   8. If         receives the special message completed then outputs it.

Sig(gpk, sk, hvt, bsn, M, SigRL)→(σ, π_(σ)): On input gpk, sk=([t]₁, σ_(sp), y), the base name bsn∈{0, 1}^(λ), the message M∈{0, 1}^(m), and a signature revocation list SigRL={(bsn_(i), M_(i), σ_(i))}_(i∈[n])), generate a signature σ and a proof π_(σ) as follows:

-   -   1. Set [c]₁←K(bsn) and set [c]₁:=[c, c·y₀]₁;     -   2. Compute: π←Π_(sign). P (crs_(sign), H(bsn, M), ([c]₁, SigRL),         ([t]₁, [σ_(sp)]₁, [y]₂)) (the label is H(bsn, M));     -   3. Compute π_(σ)←Π_(hvt). P(crs_(hvt), (hvt, [c]₁), y₀);     -   4. Output σ:=([c]₁, π) and π_(σ).

Sanitize(gpk, bsn, M, (σ, π_(σ)), SigRL, hvt):Parse σ=([c]₁, π) and proceed as follows:

-   -   1. If         -   Π_(sign). ∨(crs_(sign), H(bsn, M), ([c]₁, SigRL), π)=0 or             Π_(hvt). ∨(crs_(hvt), (hvt, [c]₁), π_(σ))=0 then output ⊥.     -   2. Re-randomize π by computing π′←Π_(sign). ZKEval(crs, H(bsn,         M), ([c]₁, SigRL), π)     -   3. Output σ′:=([c], π′).

Ver(gpk, bsn, M, σ, PrivRL, SigRL):Parse σ=([c]₁, π) and PrivRL:={f₁, . . . , f_(n) ₁ }. Return 1 if and only if

-   -   1. K(bsn)=[c]₁,     -   2. ΠH_(sign). V(crs_(sign), H(bsn, M), ([c]₁, SigRL), π) and     -   3. For ∀sk∈PrivRL:let sk=([t]₁, σ_(sp), (y₀, y₁)) check (−y₀,         1)·[c]₁≠[0]₁.

Link (gpk, bsn, M₁, σ₁, SigRL₁, M₂, σ₂, SigRL₂)→0/1. Parse σ_(i)=([c_(i)]₁, π_(i)) for i=1, 2. Return 1 if and only if [c₁]₁=[c₂]₁ and both signatures are valid, i. e., Ver(gpk, bsn, M₁, σ₁, ∅, SigRL₁)=1 and Ver(gpk, bsn, M₂, σ₂, ∅, SigRL₂)=1.

While embodiments of the invention have been illustrated and described in detail in the drawings and foregoing description, such illustration and description are to be considered illustrative or exemplary and not restrictive. It will be understood that changes and modifications may be made by those of ordinary skill within the scope of the following claims. In particular, the present invention covers further embodiments with any combination of features from different embodiments described above and below. Additionally, statements made herein characterizing the invention refer to an embodiment of the invention and not necessarily all embodiments.

The terms used in the claims should be construed to have the broadest reasonable interpretation consistent with the foregoing description. For example, the use of the article “a” or “the” in introducing an element should not be interpreted as being exclusive of a plurality of elements. Likewise, the recitation of “or” should be interpreted as being inclusive, such that the recitation of “A or B” is not exclusive of “A and B,” unless it is clear from the context or the foregoing description that only one of A and B is intended. Further, the recitation of “at least one of A, B and C” should be interpreted as one or more of a group of elements consisting of A, B and C, and should not be interpreted as requiring at least one of each of the listed elements A, B and C, regardless of whether A, B and C are related as categories or otherwise. Moreover, the recitation of “A, B and/or C” or “at least one of A, B or C” should be interpreted as including any singular entity from the listed elements, e.g., A, any subset from the listed elements, e.g., A and B, or the entire list of elements A, B and C. 

What is claimed is:
 1. A computer-implemented method comprising: receiving, with an intermediate processing system, an original message from a trusted execution environment, the original message comprising an original digital signature authored by the trusted execution environment; computing, with the intermediate processing system, a zero-knowledge proof of knowledge for the original digital signature without accessing a private key and without accessing a share of a private key; and modifying the original message by replacing the original digital signature with the proof of knowledge, wherein the method further comprises: receiving a request for remote attestation of a reference binary from a remote verifier; calculating, with the trusted execution environment and in response to the remote attestation request, the original digital signature based on the reference binary, wherein the original digital signature comprises an original revocation token and the modifying of the original message comprises replacing the original revocation token with a randomized revocation token; and transmitting, to the verifier, the modified original message comprising the proof of knowledge and the randomized revocation token.
 2. The method of claim 1, wherein the original message comprises the original revocation token prepared by the trusted execution environment and the method comprises: randomizing the original revocation token; modifying the original message by replacing the original revocation token with the randomized revocation token.
 3. The method of claim 2, wherein the original message comprises a destination address and the method comprises transmitting the modified message to the destination address.
 4. The method of claim 3, further comprising randomly selecting a parameter, wherein the original revocation token is randomized by modifying one or more fields of the original revocation token based on a randomly selected parameter.
 5. The method of claim 4, wherein the trusted execution environment locally stores a trusted private key, the trusted execution environment authors the original digital signature with the trusted private key, and the randomized revocation token includes parameters sufficient to revoke the trusted private key.
 6. The method of claim 1, wherein a host processing system comprises the intermediate processing system and the trusted execution environment, and the intermediate processing system performs the receiving, the computing, and the modifying.
 7. The method of claim 1, comprising: deploying the reference binary in the trusted execution environment based on the received request from the remote verifier.
 8. The method of claim 7, wherein the original message comprises a digest computed by the trusted execution environment based on the reference binary.
 9. The method of claim 8, wherein the digest comprises a hash of the reference binary.
 10. The method of claim 1, wherein the original digital signature cannot be derived from the proof of knowledge.
 11. A processing system comprising: one or more hardware processors configured to: receive an original message from a trusted execution environment, the original message comprising an original digital signature authored by the trusted execution environment; compute a zero-knowledge proof of knowledge for the original digital signature such that the proof of knowledge is computed without accessing a private key and without accessing a share of a private key; and modify the original message by replacing the original digital signature with the proof of knowledge wherein the one or more processors are further configured to: receive a request for remote attestation of a reference binary from a remote verifier; calculate, within the trusted execution environment and in response to the remote attestation request, the original digital signature based on the reference binary, wherein the original digital signature comprises an original revocation token and the one or more processors are configured to modify the original message by replacing the original revocation token with a randomized revocation token; and transmit, to the verifier, the modified original message comprising the proof of knowledge and the randomized revocation token.
 12. The processing system of claim 11, comprising an intermediate processing system and the trusted execution environment, wherein at least one of the intermediate processing system and the trusted execution environment comprise the one or more processors.
 13. A non-transitory computer-readable medium comprising code for configuring one or more processors to: receive an original message from a trusted execution environment, the original message comprising an original digital signature authored by the trusted execution environment; compute a zero-knowledge proof of knowledge for the original digital signature such that the proof of knowledge is computed without considering a private key and without considering a share of a private key; and modify the original message by replacing the original digital signature with the proof of knowledge, wherein the non-transitory computer-readable medium further comprises code for configuring the one or more processors to: receive a request for remote attestation of a reference binary from a remote verifier; calculate, within the trusted execution environment and in response to the remote attestation request, the original digital signature based on the reference binary, wherein the original digital signature comprises an original revocation token and the code for modifying the original message comprises code for configuring the one or more processors to replace the original revocation token with a randomized revocation token; and transmit, to the verifier, the modified original message comprising the proof of knowledge and the randomized revocation token.
 14. The processing system of claim 11, wherein the original digital signature cannot be derived from the proof of knowledge. 